Realm

Allows for creating and managing Realms within Keycloak.

A realm manages a logical collection of users, credentials, roles, and groups. Users log in to realms and can be federated from multiple sources.

Default Client Scopes

  • default_default_client_scopes - (Optional) A list of default default client scopes to be used for client definitions. Defaults to [] or Keycloak’s built-in default default client scopes.
  • default_optional_client_scopes - (Optional) A list of default optional client scopes to be used for client definitions. Defaults to [] or Keycloak’s built-in default optional client scopes.

Example Usage

using Pulumi;
using Keycloak = Pulumi.Keycloak;

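/// <summary>
/// Example stack that declares a single Keycloak realm, "my-realm", with
/// internationalization, a password policy, brute-force detection, browser
/// security headers, an SMTP server and a WebAuthn policy.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        // The SMTP password is read from stack configuration as a secret instead of
        // being embedded in source. Set it with:
        //   pulumi config set --secret smtpPassword <value>
        var smtpPassword = new Pulumi.Config().RequireSecret("smtpPassword");

        var realm = new Keycloak.Realm("realm", new Keycloak.RealmArgs
        {
            AccessCodeLifespan = "1h",
            Attributes = 
            {
                { "mycustomAttribute", "myCustomValue" },
            },
            DisplayName = "my realm",
            // Rendered as HTML on the login screen: keep this static markup and
            // never build it from untrusted input.
            DisplayNameHtml = "<b>my realm</b>",
            Enabled = true,
            Internationalization = new Keycloak.Inputs.RealmInternationalizationArgs
            {
                DefaultLocale = "en",
                SupportedLocales = 
                {
                    "en",
                    "de",
                    "es",
                },
            },
            LoginTheme = "base",
            // At least one upper-case character, minimum length 8, forced change
            // after 365 days, and the password may not equal the username.
            // NOTE(review): a minimum length of 8 is a low floor; confirm it
            // matches the organisation's password standard.
            PasswordPolicy = "upperCase(1) and length(8) and forceExpiredPasswordChange(365) and notUsername",
            Realm = "my-realm",
            SecurityDefenses = new Keycloak.Inputs.RealmSecurityDefensesArgs
            {
                // NOTE(review): 30 failed logins before a (temporary, since
                // PermanentLockout is false) lockout is a permissive threshold;
                // confirm it against the account-lockout policy.
                BruteForceDetection = new Keycloak.Inputs.RealmSecurityDefensesBruteForceDetectionArgs
                {
                    FailureResetTimeSeconds = 43200,
                    MaxFailureWaitSeconds = 900,
                    MaxLoginFailures = 30,
                    MinimumQuickLoginWaitSeconds = 60,
                    PermanentLockout = false,
                    QuickLoginCheckMilliSeconds = 1000,
                    WaitIncrementSeconds = 60,
                },
                // NOTE(review): XFrameOptions "DENY" and the CSP frame-ancestors
                // 'self' directive disagree; browsers that implement
                // frame-ancestors apply it in preference to X-Frame-Options.
                // X-XSS-Protection is a legacy header that current browsers
                // ignore, so the CSP is the control that matters.
                Headers = new Keycloak.Inputs.RealmSecurityDefensesHeadersArgs
                {
                    ContentSecurityPolicy = "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
                    ContentSecurityPolicyReportOnly = "",
                    StrictTransportSecurity = "max-age=31536000; includeSubDomains",
                    XContentTypeOptions = "nosniff",
                    XFrameOptions = "DENY",
                    XRobotsTag = "none",
                    XXssProtection = "1; mode=block",
                },
            },
            SmtpServer = new Keycloak.Inputs.RealmSmtpServerArgs
            {
                Auth = new Keycloak.Inputs.RealmSmtpServerAuthArgs
                {
                    Password = smtpPassword,
                    Username = "tom",
                },
                From = "example@example.com",
                Host = "smtp.example.com",
            },
            // "external" requires HTTPS only for clients on non-private addresses;
            // "all" requires it for every client.
            SslRequired = "external",
            WebAuthnPolicy = new Keycloak.Inputs.RealmWebAuthnPolicyArgs
            {
                RelyingPartyEntityName = "Example",
                RelyingPartyId = "keycloak.example.com",
                SignatureAlgorithms = 
                {
                    "ES256",
                    "RS256",
                },
            },
        });
    }

}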
package main

import (
	"github.com/pulumi/pulumi-keycloak/sdk/v4/go/keycloak"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

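// main declares a single Keycloak realm, "my-realm", with
// internationalization, a password policy, brute-force detection, browser
// security headers, an SMTP server and a WebAuthn policy.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The nested argument types live in the keycloak package and must be
		// qualified with it; the unqualified names do not compile.
		_, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
			AccessCodeLifespan: pulumi.String("1h"),
			Attributes: pulumi.AnyMap{
				"mycustomAttribute": pulumi.Any("myCustomValue"),
			},
			DisplayName: pulumi.String("my realm"),
			// Rendered as HTML on the login screen: keep this static markup
			// and never build it from untrusted input.
			DisplayNameHtml: pulumi.String("<b>my realm</b>"),
			Enabled:         pulumi.Bool(true),
			Internationalization: &keycloak.RealmInternationalizationArgs{
				DefaultLocale: pulumi.String("en"),
				SupportedLocales: pulumi.StringArray{
					pulumi.String("en"),
					pulumi.String("de"),
					pulumi.String("es"),
				},
			},
			LoginTheme: pulumi.String("base"),
			// At least one upper-case character, minimum length 8, forced
			// change after 365 days, and the password may not equal the
			// username.
			// NOTE(review): a minimum length of 8 is a low floor; confirm it
			// matches the organisation's password standard.
			PasswordPolicy: pulumi.String("upperCase(1) and length(8) and forceExpiredPasswordChange(365) and notUsername"),
			Realm:          pulumi.String("my-realm"),
			SecurityDefenses: &keycloak.RealmSecurityDefensesArgs{
				// NOTE(review): 30 failed logins before a (temporary, since
				// PermanentLockout is false) lockout is a permissive
				// threshold; confirm it against the account-lockout policy.
				BruteForceDetection: &keycloak.RealmSecurityDefensesBruteForceDetectionArgs{
					FailureResetTimeSeconds:      pulumi.Int(43200),
					MaxFailureWaitSeconds:        pulumi.Int(900),
					MaxLoginFailures:             pulumi.Int(30),
					MinimumQuickLoginWaitSeconds: pulumi.Int(60),
					PermanentLockout:             pulumi.Bool(false),
					QuickLoginCheckMilliSeconds:  pulumi.Int(1000),
					WaitIncrementSeconds:         pulumi.Int(60),
				},
				// NOTE(review): XFrameOptions "DENY" and the CSP
				// frame-ancestors 'self' directive disagree; browsers that
				// implement frame-ancestors apply it in preference to
				// X-Frame-Options. X-XSS-Protection is a legacy header that
				// current browsers ignore, so the CSP is the control that
				// matters.
				Headers: &keycloak.RealmSecurityDefensesHeadersArgs{
					ContentSecurityPolicy:           pulumi.String("frame-src 'self'; frame-ancestors 'self'; object-src 'none';"),
					ContentSecurityPolicyReportOnly: pulumi.String(""),
					StrictTransportSecurity:         pulumi.String("max-age=31536000; includeSubDomains"),
					XContentTypeOptions:             pulumi.String("nosniff"),
					XFrameOptions:                   pulumi.String("DENY"),
					XRobotsTag:                      pulumi.String("none"),
					XXssProtection:                  pulumi.String("1; mode=block"),
				},
			},
			SmtpServer: &keycloak.RealmSmtpServerArgs{
				Auth: &keycloak.RealmSmtpServerAuthArgs{
					// NOTE(review): placeholder credential. A real SMTP
					// password should not be written into source; read it
					// from stack configuration as a secret (RequireSecret in
					// the pulumi config package, set with
					// `pulumi config set --secret`) so it is stored encrypted.
					Password: pulumi.String("password"),
					Username: pulumi.String("tom"),
				},
				From: pulumi.String("example@example.com"),
				Host: pulumi.String("smtp.example.com"),
			},
			// "external" requires HTTPS only for clients on non-private
			// addresses; "all" requires it for every client.
			SslRequired: pulumi.String("external"),
			WebAuthnPolicy: &keycloak.RealmWebAuthnPolicyArgs{
				RelyingPartyEntityName: pulumi.String("Example"),
				RelyingPartyId:         pulumi.String("keycloak.example.com"),
				SignatureAlgorithms: pulumi.StringArray{
					pulumi.String("ES256"),
					pulumi.String("RS256"),
				},
			},
		})
		// The realm handle is unused, so the creation error (nil on success)
		// is the callback's whole result.
		return err
	})
}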
import pulumi
import pulumi_keycloak as keycloak

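# The SMTP password is read from stack configuration as a secret instead of
# being embedded in source. Set it with:
#   pulumi config set --secret smtpPassword <value>
smtp_password = pulumi.Config().require_secret("smtpPassword")

# Declares a single Keycloak realm, "my-realm", with internationalization, a
# password policy, brute-force detection, browser security headers, an SMTP
# server and a WebAuthn policy.
realm = keycloak.Realm("realm",
    access_code_lifespan="1h",
    attributes={
        "mycustomAttribute": "myCustomValue",
    },
    display_name="my realm",
    # Rendered as HTML on the login screen: keep this static markup and never
    # build it from untrusted input.
    display_name_html="<b>my realm</b>",
    enabled=True,
    internationalization=keycloak.RealmInternationalizationArgs(
        default_locale="en",
        supported_locales=[
            "en",
            "de",
            "es",
        ],
    ),
    login_theme="base",
    # At least one upper-case character, minimum length 8, forced change after
    # 365 days, and the password may not equal the username.
    # NOTE(review): a minimum length of 8 is a low floor; confirm it matches
    # the organisation's password standard.
    password_policy="upperCase(1) and length(8) and forceExpiredPasswordChange(365) and notUsername",
    realm="my-realm",
    security_defenses=keycloak.RealmSecurityDefensesArgs(
        # NOTE(review): 30 failed logins before a (temporary, since
        # permanent_lockout is False) lockout is a permissive threshold;
        # confirm it against the account-lockout policy.
        brute_force_detection=keycloak.RealmSecurityDefensesBruteForceDetectionArgs(
            failure_reset_time_seconds=43200,
            max_failure_wait_seconds=900,
            max_login_failures=30,
            minimum_quick_login_wait_seconds=60,
            permanent_lockout=False,
            quick_login_check_milli_seconds=1000,
            wait_increment_seconds=60,
        ),
        # NOTE(review): x_frame_options "DENY" and the CSP frame-ancestors
        # 'self' directive disagree; browsers that implement frame-ancestors
        # apply it in preference to X-Frame-Options. X-XSS-Protection is a
        # legacy header that current browsers ignore, so the CSP is the
        # control that matters.
        headers=keycloak.RealmSecurityDefensesHeadersArgs(
            content_security_policy="frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
            content_security_policy_report_only="",
            strict_transport_security="max-age=31536000; includeSubDomains",
            x_content_type_options="nosniff",
            x_frame_options="DENY",
            x_robots_tag="none",
            x_xss_protection="1; mode=block",
        ),
    ),
    smtp_server=keycloak.RealmSmtpServerArgs(
        auth=keycloak.RealmSmtpServerAuthArgs(
            password=smtp_password,
            username="tom",
        ),
        from_="example@example.com",
        host="smtp.example.com",
    ),
    # "external" requires HTTPS only for clients on non-private addresses;
    # "all" requires it for every client.
    ssl_required="external",
    web_authn_policy=keycloak.RealmWebAuthnPolicyArgs(
        relying_party_entity_name="Example",
        relying_party_id="keycloak.example.com",
        signature_algorithms=[
            "ES256",
            "RS256",
        ],
    ))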
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";

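// The SMTP password is read from stack configuration as a secret instead of
// being embedded in source. Set it with:
//   pulumi config set --secret smtpPassword <value>
const smtpPassword = new pulumi.Config().requireSecret("smtpPassword");

// Declares a single Keycloak realm, "my-realm", with internationalization, a
// password policy, brute-force detection, browser security headers, an SMTP
// server and a WebAuthn policy.
const realm = new keycloak.Realm("realm", {
    accessCodeLifespan: "1h",
    attributes: {
        mycustomAttribute: "myCustomValue",
    },
    displayName: "my realm",
    // Rendered as HTML on the login screen: keep this static markup and never
    // build it from untrusted input.
    displayNameHtml: "<b>my realm</b>",
    enabled: true,
    internationalization: {
        defaultLocale: "en",
        supportedLocales: [
            "en",
            "de",
            "es",
        ],
    },
    loginTheme: "base",
    // At least one upper-case character, minimum length 8, forced change after
    // 365 days, and the password may not equal the username.
    // NOTE(review): a minimum length of 8 is a low floor; confirm it matches
    // the organisation's password standard.
    passwordPolicy: "upperCase(1) and length(8) and forceExpiredPasswordChange(365) and notUsername",
    realm: "my-realm",
    securityDefenses: {
        // NOTE(review): 30 failed logins before a (temporary, since
        // permanentLockout is false) lockout is a permissive threshold;
        // confirm it against the account-lockout policy.
        bruteForceDetection: {
            failureResetTimeSeconds: 43200,
            maxFailureWaitSeconds: 900,
            maxLoginFailures: 30,
            minimumQuickLoginWaitSeconds: 60,
            permanentLockout: false,
            quickLoginCheckMilliSeconds: 1000,
            waitIncrementSeconds: 60,
        },
        // NOTE(review): xFrameOptions "DENY" and the CSP frame-ancestors
        // 'self' directive disagree; browsers that implement frame-ancestors
        // apply it in preference to X-Frame-Options. X-XSS-Protection is a
        // legacy header that current browsers ignore, so the CSP is the
        // control that matters.
        headers: {
            contentSecurityPolicy: "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
            contentSecurityPolicyReportOnly: "",
            strictTransportSecurity: "max-age=31536000; includeSubDomains",
            xContentTypeOptions: "nosniff",
            xFrameOptions: "DENY",
            xRobotsTag: "none",
            xXssProtection: "1; mode=block",
        },
    },
    smtpServer: {
        auth: {
            password: smtpPassword,
            username: "tom",
        },
        from: "example@example.com",
        host: "smtp.example.com",
    },
    // "external" requires HTTPS only for clients on non-private addresses;
    // "all" requires it for every client.
    sslRequired: "external",
    webAuthnPolicy: {
        relyingPartyEntityName: "Example",
        relyingPartyId: "keycloak.example.com",
        signatureAlgorithms: [
            "ES256",
            "RS256",
        ],
    },
});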

Create a Realm Resource

new Realm(name: string, args: RealmArgs, opts?: CustomResourceOptions);
@overload
def Realm(resource_name: str,
          opts: Optional[ResourceOptions] = None,
          access_code_lifespan: Optional[str] = None,
          access_code_lifespan_login: Optional[str] = None,
          access_code_lifespan_user_action: Optional[str] = None,
          access_token_lifespan: Optional[str] = None,
          access_token_lifespan_for_implicit_flow: Optional[str] = None,
          account_theme: Optional[str] = None,
          action_token_generated_by_admin_lifespan: Optional[str] = None,
          action_token_generated_by_user_lifespan: Optional[str] = None,
          admin_theme: Optional[str] = None,
          attributes: Optional[Mapping[str, Any]] = None,
          browser_flow: Optional[str] = None,
          client_authentication_flow: Optional[str] = None,
          default_default_client_scopes: Optional[Sequence[str]] = None,
          default_optional_client_scopes: Optional[Sequence[str]] = None,
          default_signature_algorithm: Optional[str] = None,
          direct_grant_flow: Optional[str] = None,
          display_name: Optional[str] = None,
          display_name_html: Optional[str] = None,
          docker_authentication_flow: Optional[str] = None,
          duplicate_emails_allowed: Optional[bool] = None,
          edit_username_allowed: Optional[bool] = None,
          email_theme: Optional[str] = None,
          enabled: Optional[bool] = None,
          internationalization: Optional[RealmInternationalizationArgs] = None,
          login_theme: Optional[str] = None,
          login_with_email_allowed: Optional[bool] = None,
          offline_session_idle_timeout: Optional[str] = None,
          offline_session_max_lifespan: Optional[str] = None,
          offline_session_max_lifespan_enabled: Optional[bool] = None,
          otp_policy: Optional[RealmOtpPolicyArgs] = None,
          password_policy: Optional[str] = None,
          realm: Optional[str] = None,
          refresh_token_max_reuse: Optional[int] = None,
          registration_allowed: Optional[bool] = None,
          registration_email_as_username: Optional[bool] = None,
          registration_flow: Optional[str] = None,
          remember_me: Optional[bool] = None,
          reset_credentials_flow: Optional[str] = None,
          reset_password_allowed: Optional[bool] = None,
          revoke_refresh_token: Optional[bool] = None,
          security_defenses: Optional[RealmSecurityDefensesArgs] = None,
          smtp_server: Optional[RealmSmtpServerArgs] = None,
          ssl_required: Optional[str] = None,
          sso_session_idle_timeout: Optional[str] = None,
          sso_session_idle_timeout_remember_me: Optional[str] = None,
          sso_session_max_lifespan: Optional[str] = None,
          sso_session_max_lifespan_remember_me: Optional[str] = None,
          user_managed_access: Optional[bool] = None,
          verify_email: Optional[bool] = None,
          web_authn_passwordless_policy: Optional[RealmWebAuthnPasswordlessPolicyArgs] = None,
          web_authn_policy: Optional[RealmWebAuthnPolicyArgs] = None)
@overload
def Realm(resource_name: str,
          args: RealmArgs,
          opts: Optional[ResourceOptions] = None)
func NewRealm(ctx *Context, name string, args RealmArgs, opts ...ResourceOption) (*Realm, error)
public Realm(string name, RealmArgs args, CustomResourceOptions? opts = null)
name string
The unique name of the resource.
args RealmArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args RealmArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args RealmArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args RealmArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.

Realm Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The Realm resource accepts the following input properties:

RealmName string
The name of the realm. This is unique across Keycloak. This will also be used as the realm’s internal ID within Keycloak.
AccessCodeLifespan string
The maximum amount of time a client has to finish the authorization code flow.
AccessCodeLifespanLogin string
The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.
AccessCodeLifespanUserAction string
The maximum amount of time a user has to complete login related actions, such as updating a password.
AccessTokenLifespan string
The amount of time an access token can be used before it expires.
AccessTokenLifespanForImplicitFlow string
The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.
AccountTheme string
Used for account management pages.
ActionTokenGeneratedByAdminLifespan string
The maximum time a user has to use an admin-generated permit before it expires.
ActionTokenGeneratedByUserLifespan string
The maximum time a user has to use a user-generated permit before it expires.
AdminTheme string
Used for the admin console.
Attributes Dictionary<string, object>
A map of custom attributes to add to the realm.
BrowserFlow string
The desired flow for browser authentication. Defaults to browser.
ClientAuthenticationFlow string
The desired flow for client authentication. Defaults to clients.
DefaultDefaultClientScopes List<string>
DefaultOptionalClientScopes List<string>
DefaultSignatureAlgorithm string
Default algorithm used to sign tokens for the realm.
DirectGrantFlow string
The desired flow for direct access authentication. Defaults to direct grant.
DisplayName string
The display name for the realm that is shown when logging in to the admin console.
DisplayNameHtml string
The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.
DockerAuthenticationFlow string
The desired flow for Docker authentication. Defaults to docker auth.
DuplicateEmailsAllowed bool
When true, multiple users will be allowed to have the same email address. This argument must be set to false if login_with_email_allowed is set to true.
EditUsernameAllowed bool
When true, the username field is editable.
EmailTheme string
Used for emails that are sent by Keycloak.
Enabled bool
When false, users and clients will not be able to access this realm. Defaults to true.
Internationalization RealmInternationalizationArgs
LoginTheme string
Used for the login, forgot password, and registration pages.
LoginWithEmailAllowed bool
When true, users may log in with their email address.
OfflineSessionIdleTimeout string
The amount of time an offline session can be idle before it expires.
OfflineSessionMaxLifespan string
The maximum amount of time before an offline session expires regardless of activity.
OfflineSessionMaxLifespanEnabled bool
Enable offline_session_max_lifespan.
OtpPolicy RealmOtpPolicyArgs
PasswordPolicy string
The password policy for users within the realm.
RefreshTokenMaxReuse int
Maximum number of times a refresh token can be reused before it is revoked. If unspecified and ‘revoke_refresh_token’ is enabled, the default value is 0 and refresh tokens cannot be reused.
RegistrationAllowed bool
When true, user registration will be enabled, and a link for registration will be displayed on the login page.
RegistrationEmailAsUsername bool
When true, the user’s email will be used as their username during registration.
RegistrationFlow string
The desired flow for user registration. Defaults to registration.
RememberMe bool
When true, a “remember me” checkbox will be displayed on the login page, and the user’s session will not expire between browser restarts.
ResetCredentialsFlow string
The desired flow to use when a user attempts to reset their credentials. Defaults to reset credentials.
ResetPasswordAllowed bool
When true, a “forgot password” link will be displayed on the login page.
RevokeRefreshToken bool
If enabled, a refresh token can only be used the number of times specified in ‘refresh_token_max_reuse’ before it is revoked. If unspecified, refresh tokens can be reused.
SecurityDefenses RealmSecurityDefensesArgs
SmtpServer RealmSmtpServerArgs
SslRequired string
Can be one of the following values: ‘none’, ‘external’ or ‘all’.
SsoSessionIdleTimeout string
The amount of time a session can be idle before it expires.
SsoSessionIdleTimeoutRememberMe string
SsoSessionMaxLifespan string
The maximum amount of time before a session expires regardless of activity.
SsoSessionMaxLifespanRememberMe string
UserManagedAccess bool
When true, users are allowed to manage their own resources. Defaults to false.
VerifyEmail bool
When true, users are required to verify their email address after registration and after email address changes.
WebAuthnPasswordlessPolicy RealmWebAuthnPasswordlessPolicyArgs
Configuration for WebAuthn Passwordless Policy authentication.
WebAuthnPolicy RealmWebAuthnPolicyArgs
Configuration for WebAuthn Policy authentication.
Realm string
The name of the realm. This is unique across Keycloak. This will also be used as the realm’s internal ID within Keycloak.
AccessCodeLifespan string
The maximum amount of time a client has to finish the authorization code flow.
AccessCodeLifespanLogin string
The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.
AccessCodeLifespanUserAction string
The maximum amount of time a user has to complete login related actions, such as updating a password.
AccessTokenLifespan string
The amount of time an access token can be used before it expires.
AccessTokenLifespanForImplicitFlow string
The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.
AccountTheme string
Used for account management pages.
ActionTokenGeneratedByAdminLifespan string
The maximum time a user has to use an admin-generated permit before it expires.
ActionTokenGeneratedByUserLifespan string
The maximum time a user has to use a user-generated permit before it expires.
AdminTheme string
Used for the admin console.
Attributes map[string]interface{}
A map of custom attributes to add to the realm.
BrowserFlow string
The desired flow for browser authentication. Defaults to browser.
ClientAuthenticationFlow string
The desired flow for client authentication. Defaults to clients.
DefaultDefaultClientScopes []string
DefaultOptionalClientScopes []string
DefaultSignatureAlgorithm string
Default algorithm used to sign tokens for the realm.
DirectGrantFlow string
The desired flow for direct access authentication. Defaults to direct grant.
DisplayName string
The display name for the realm that is shown when logging in to the admin console.
DisplayNameHtml string
The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.
DockerAuthenticationFlow string
The desired flow for Docker authentication. Defaults to docker auth.
DuplicateEmailsAllowed bool
When true, multiple users will be allowed to have the same email address. This argument must be set to false if login_with_email_allowed is set to true.
EditUsernameAllowed bool
When true, the username field is editable.
EmailTheme string
Used for emails that are sent by Keycloak.
Enabled bool
When false, users and clients will not be able to access this realm. Defaults to true.
Internationalization RealmInternationalizationArgs
LoginTheme string
Used for the login, forgot password, and registration pages.
LoginWithEmailAllowed bool
When true, users may log in with their email address.
OfflineSessionIdleTimeout string
The amount of time an offline session can be idle before it expires.
OfflineSessionMaxLifespan string
The maximum amount of time before an offline session expires regardless of activity.
OfflineSessionMaxLifespanEnabled bool
Enable offline_session_max_lifespan.
OtpPolicy RealmOtpPolicyArgs
PasswordPolicy string
The password policy for users within the realm.
RefreshTokenMaxReuse int
Maximum number of times a refresh token can be reused before it is revoked. If unspecified and ‘revoke_refresh_token’ is enabled, the default value is 0 and refresh tokens cannot be reused.
RegistrationAllowed bool
When true, user registration will be enabled, and a link for registration will be displayed on the login page.
RegistrationEmailAsUsername bool
When true, the user’s email will be used as their username during registration.
RegistrationFlow string
The desired flow for user registration. Defaults to registration.
RememberMe bool
When true, a “remember me” checkbox will be displayed on the login page, and the user’s session will not expire between browser restarts.
ResetCredentialsFlow string
The desired flow to use when a user attempts to reset their credentials. Defaults to reset credentials.
ResetPasswordAllowed bool
When true, a “forgot password” link will be displayed on the login page.
RevokeRefreshToken bool
If enabled, a refresh token can only be used the number of times specified in ‘refresh_token_max_reuse’ before it is revoked. If unspecified, refresh tokens can be reused.
SecurityDefenses RealmSecurityDefensesArgs
SmtpServer RealmSmtpServerArgs
SslRequired string
Can be one of the following values: ‘none’, ‘external’ or ‘all’.
SsoSessionIdleTimeout string
The amount of time a session can be idle before it expires.
SsoSessionIdleTimeoutRememberMe string
SsoSessionMaxLifespan string
The maximum amount of time before a session expires regardless of activity.
SsoSessionMaxLifespanRememberMe string
UserManagedAccess bool
When true, users are allowed to manage their own resources. Defaults to false.
VerifyEmail bool
When true, users are required to verify their email address after registration and after email address changes.
WebAuthnPasswordlessPolicy RealmWebAuthnPasswordlessPolicyArgs
Configuration for WebAuthn Passwordless Policy authentication.
WebAuthnPolicy RealmWebAuthnPolicyArgs
Configuration for WebAuthn Policy authentication.
realm string
The name of the realm. This is unique across Keycloak. This will also be used as the realm’s internal ID within Keycloak.
accessCodeLifespan string
The maximum amount of time a client has to finish the authorization code flow.
accessCodeLifespanLogin string
The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.
accessCodeLifespanUserAction string
The maximum amount of time a user has to complete login related actions, such as updating a password.
accessTokenLifespan string
The amount of time an access token can be used before it expires.
accessTokenLifespanForImplicitFlow string
The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.
accountTheme string
Used for account management pages.
actionTokenGeneratedByAdminLifespan string
The maximum time a user has to use an admin-generated permit before it expires.
actionTokenGeneratedByUserLifespan string
The maximum time a user has to use a user-generated permit before it expires.
adminTheme string
Used for the admin console.
attributes {[key: string]: any}
A map of custom attributes to add to the realm.
browserFlow string
The desired flow for browser authentication. Defaults to browser.
clientAuthenticationFlow string
The desired flow for client authentication. Defaults to clients.
defaultDefaultClientScopes string[]
defaultOptionalClientScopes string[]
defaultSignatureAlgorithm string
Default algorithm used to sign tokens for the realm.
directGrantFlow string
The desired flow for direct access authentication. Defaults to direct grant.
displayName string
The display name for the realm that is shown when logging in to the admin console.
displayNameHtml string
The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.
dockerAuthenticationFlow string
The desired flow for Docker authentication. Defaults to docker auth.
duplicateEmailsAllowed boolean
When true, multiple users will be allowed to have the same email address. This argument must be set to false if login_with_email_allowed is set to true.
editUsernameAllowed boolean
When true, the username field is editable.
emailTheme string
Used for emails that are sent by Keycloak.
enabled boolean
When false, users and clients will not be able to access this realm. Defaults to true.
internationalization RealmInternationalizationArgs
loginTheme string
Used for the login, forgot password, and registration pages.
loginWithEmailAllowed boolean
When true, users may log in with their email address.
offlineSessionIdleTimeout string
The amount of time an offline session can be idle before it expires.
offlineSessionMaxLifespan string
The maximum amount of time before an offline session expires regardless of activity.
offlineSessionMaxLifespanEnabled boolean
Enable offline_session_max_lifespan.
otpPolicy RealmOtpPolicyArgs
passwordPolicy string
The password policy for users within the realm.
refreshTokenMaxReuse number
Maximum number of times a refresh token can be reused before it is revoked. If unspecified and ‘revoke_refresh_token’ is enabled, the default value is 0 and refresh tokens cannot be reused.
registrationAllowed boolean
When true, user registration will be enabled, and a link for registration will be displayed on the login page.
registrationEmailAsUsername boolean
When true, the user’s email will be used as their username during registration.
registrationFlow string
The desired flow for user registration. Defaults to registration.
rememberMe boolean
When true, a “remember me” checkbox will be displayed on the login page, and the user’s session will not expire between browser restarts.
resetCredentialsFlow string
The desired flow to use when a user attempts to reset their credentials. Defaults to reset credentials.
resetPasswordAllowed boolean
When true, a “forgot password” link will be displayed on the login page.
revokeRefreshToken boolean
If enabled, a refresh token can only be used the number of times specified in ‘refresh_token_max_reuse’ before it is revoked. If unspecified, refresh tokens can be reused.
securityDefenses RealmSecurityDefensesArgs
smtpServer RealmSmtpServerArgs
sslRequired string
Can be one of the following values: ‘none’, ‘external’ or ‘all’.
ssoSessionIdleTimeout string
The amount of time a session can be idle before it expires.
ssoSessionIdleTimeoutRememberMe string
ssoSessionMaxLifespan string
The maximum amount of time before a session expires regardless of activity.
ssoSessionMaxLifespanRememberMe string
userManagedAccess boolean
When true, users are allowed to manage their own resources. Defaults to false.
verifyEmail boolean
When true, users are required to verify their email address after registration and after email address changes.
webAuthnPasswordlessPolicy RealmWebAuthnPasswordlessPolicyArgs
Configuration for WebAuthn Passwordless Policy authentication.
webAuthnPolicy RealmWebAuthnPolicyArgs
Configuration for WebAuthn Policy authentication.
realm str
The name of the realm. This is unique across Keycloak. This will also be used as the realm’s internal ID within Keycloak.
access_code_lifespan str
The maximum amount of time a client has to finish the authorization code flow.
access_code_lifespan_login str
The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.
access_code_lifespan_user_action str
The maximum amount of time a user has to complete login related actions, such as updating a password.
access_token_lifespan str
The amount of time an access token can be used before it expires.
access_token_lifespan_for_implicit_flow str
The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.
account_theme str
Used for account management pages.
action_token_generated_by_admin_lifespan str
The maximum time a user has to use an admin-generated permit before it expires.
action_token_generated_by_user_lifespan str
The maximum time a user has to use a user-generated permit before it expires.
admin_theme str
Used for the admin console.
attributes Mapping[str, Any]
A map of custom attributes to add to the realm.
browser_flow str
The desired flow for browser authentication. Defaults to browser.
client_authentication_flow str
The desired flow for client authentication. Defaults to clients.
default_default_client_scopes Sequence[str]
default_optional_client_scopes Sequence[str]
default_signature_algorithm str
Default algorithm used to sign tokens for the realm.
direct_grant_flow str
The desired flow for direct access authentication. Defaults to direct grant.
display_name str
The display name for the realm that is shown when logging in to the admin console.
display_name_html str
The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.
docker_authentication_flow str
The desired flow for Docker authentication. Defaults to docker auth.
duplicate_emails_allowed bool
When true, multiple users will be allowed to have the same email address. This argument must be set to false if login_with_email_allowed is set to true.
edit_username_allowed bool
When true, the username field is editable.
email_theme str
Used for emails that are sent by Keycloak.
enabled bool
When false, users and clients will not be able to access this realm. Defaults to true.
internationalization RealmInternationalizationArgs
login_theme str
Used for the login, forgot password, and registration pages.
login_with_email_allowed bool
When true, users may log in with their email address.
offline_session_idle_timeout str
The amount of time an offline session can be idle before it expires.
offline_session_max_lifespan str
The maximum amount of time before an offline session expires regardless of activity.
offline_session_max_lifespan_enabled bool
Enable offline_session_max_lifespan.
otp_policy RealmOtpPolicyArgs
password_policy str
The password policy for users within the realm.
refresh_token_max_reuse int
Maximum number of times a refresh token can be reused before it is revoked. If unspecified and ‘revoke_refresh_token’ is enabled, the default value is 0 and refresh tokens cannot be reused.
registration_allowed bool
When true, user registration will be enabled, and a link for registration will be displayed on the login page.
registration_email_as_username bool
When true, the user’s email will be used as their username during registration.
registration_flow str
The desired flow for user registration. Defaults to registration.
remember_me bool
When true, a “remember me” checkbox will be displayed on the login page, and the user’s session will not expire between browser restarts.
reset_credentials_flow str
The desired flow to use when a user attempts to reset their credentials. Defaults to reset credentials.
reset_password_allowed bool
When true, a “forgot password” link will be displayed on the login page.
revoke_refresh_token bool
If enabled, a refresh token can only be used the number of times specified in ‘refresh_token_max_reuse’ before it is revoked. If unspecified, refresh tokens can be reused.
security_defenses RealmSecurityDefensesArgs
smtp_server RealmSmtpServerArgs
ssl_required str
Can be one of the following values: ‘none’, ‘external’ or ‘all’.
sso_session_idle_timeout str
The amount of time a session can be idle before it expires.
sso_session_idle_timeout_remember_me str
sso_session_max_lifespan str
The maximum amount of time before a session expires regardless of activity.
sso_session_max_lifespan_remember_me str
user_managed_access bool
When true, users are allowed to manage their own resources. Defaults to false.
verify_email bool
When true, users are required to verify their email address after registration and after email address changes.
web_authn_passwordless_policy RealmWebAuthnPasswordlessPolicyArgs
Configuration for WebAuthn Passwordless Policy authentication.
web_authn_policy RealmWebAuthnPolicyArgs
Configuration for WebAuthn Policy authentication.

Outputs

All input properties are implicitly available as output properties. Additionally, the Realm resource produces the following output properties:

Id string
The provider-assigned unique ID for this managed resource.
InternalId string
Id string
The provider-assigned unique ID for this managed resource.
InternalId string
id string
The provider-assigned unique ID for this managed resource.
internalId string
id str
The provider-assigned unique ID for this managed resource.
internal_id str

Look up an Existing Realm Resource

Get an existing Realm resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: RealmState, opts?: CustomResourceOptions): Realm
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        access_code_lifespan: Optional[str] = None,
        access_code_lifespan_login: Optional[str] = None,
        access_code_lifespan_user_action: Optional[str] = None,
        access_token_lifespan: Optional[str] = None,
        access_token_lifespan_for_implicit_flow: Optional[str] = None,
        account_theme: Optional[str] = None,
        action_token_generated_by_admin_lifespan: Optional[str] = None,
        action_token_generated_by_user_lifespan: Optional[str] = None,
        admin_theme: Optional[str] = None,
        attributes: Optional[Mapping[str, Any]] = None,
        browser_flow: Optional[str] = None,
        client_authentication_flow: Optional[str] = None,
        default_default_client_scopes: Optional[Sequence[str]] = None,
        default_optional_client_scopes: Optional[Sequence[str]] = None,
        default_signature_algorithm: Optional[str] = None,
        direct_grant_flow: Optional[str] = None,
        display_name: Optional[str] = None,
        display_name_html: Optional[str] = None,
        docker_authentication_flow: Optional[str] = None,
        duplicate_emails_allowed: Optional[bool] = None,
        edit_username_allowed: Optional[bool] = None,
        email_theme: Optional[str] = None,
        enabled: Optional[bool] = None,
        internal_id: Optional[str] = None,
        internationalization: Optional[RealmInternationalizationArgs] = None,
        login_theme: Optional[str] = None,
        login_with_email_allowed: Optional[bool] = None,
        offline_session_idle_timeout: Optional[str] = None,
        offline_session_max_lifespan: Optional[str] = None,
        offline_session_max_lifespan_enabled: Optional[bool] = None,
        otp_policy: Optional[RealmOtpPolicyArgs] = None,
        password_policy: Optional[str] = None,
        realm: Optional[str] = None,
        refresh_token_max_reuse: Optional[int] = None,
        registration_allowed: Optional[bool] = None,
        registration_email_as_username: Optional[bool] = None,
        registration_flow: Optional[str] = None,
        remember_me: Optional[bool] = None,
        reset_credentials_flow: Optional[str] = None,
        reset_password_allowed: Optional[bool] = None,
        revoke_refresh_token: Optional[bool] = None,
        security_defenses: Optional[RealmSecurityDefensesArgs] = None,
        smtp_server: Optional[RealmSmtpServerArgs] = None,
        ssl_required: Optional[str] = None,
        sso_session_idle_timeout: Optional[str] = None,
        sso_session_idle_timeout_remember_me: Optional[str] = None,
        sso_session_max_lifespan: Optional[str] = None,
        sso_session_max_lifespan_remember_me: Optional[str] = None,
        user_managed_access: Optional[bool] = None,
        verify_email: Optional[bool] = None,
        web_authn_passwordless_policy: Optional[RealmWebAuthnPasswordlessPolicyArgs] = None,
        web_authn_policy: Optional[RealmWebAuthnPolicyArgs] = None) -> Realm
func GetRealm(ctx *Context, name string, id IDInput, state *RealmState, opts ...ResourceOption) (*Realm, error)
public static Realm Get(string name, Input<string> id, RealmState? state, CustomResourceOptions? opts = null)
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.

The following state arguments are supported:

AccessCodeLifespan string
The maximum amount of time a client has to finish the authorization code flow.
AccessCodeLifespanLogin string
The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.
AccessCodeLifespanUserAction string
The maximum amount of time a user has to complete login related actions, such as updating a password.
AccessTokenLifespan string
The amount of time an access token can be used before it expires.
AccessTokenLifespanForImplicitFlow string
The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.
AccountTheme string
Used for account management pages.
ActionTokenGeneratedByAdminLifespan string
The maximum time a user has to use an admin-generated permit before it expires.
ActionTokenGeneratedByUserLifespan string
The maximum time a user has to use a user-generated permit before it expires.
AdminTheme string
Used for the admin console.
Attributes Dictionary<string, object>
A map of custom attributes to add to the realm.
BrowserFlow string
The desired flow for browser authentication. Defaults to browser.
ClientAuthenticationFlow string
The desired flow for client authentication. Defaults to clients.
DefaultDefaultClientScopes List<string>
DefaultOptionalClientScopes List<string>
DefaultSignatureAlgorithm string
Default algorithm used to sign tokens for the realm.
DirectGrantFlow string
The desired flow for direct access authentication. Defaults to direct grant.
DisplayName string
The display name for the realm that is shown when logging in to the admin console.
DisplayNameHtml string
The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.
DockerAuthenticationFlow string
The desired flow for Docker authentication. Defaults to docker auth.
DuplicateEmailsAllowed bool
When true, multiple users will be allowed to have the same email address. This argument must be set to false if login_with_email_allowed is set to true.
EditUsernameAllowed bool
When true, the username field is editable.
EmailTheme string
Used for emails that are sent by Keycloak.
Enabled bool
When false, users and clients will not be able to access this realm. Defaults to true.
InternalId string
Internationalization RealmInternationalizationArgs
LoginTheme string
Used for the login, forgot password, and registration pages.
LoginWithEmailAllowed bool
When true, users may log in with their email address.
OfflineSessionIdleTimeout string
The amount of time an offline session can be idle before it expires.
OfflineSessionMaxLifespan string
The maximum amount of time before an offline session expires regardless of activity.
OfflineSessionMaxLifespanEnabled bool
Enable offline_session_max_lifespan.
OtpPolicy RealmOtpPolicyArgs
PasswordPolicy string
The password policy for users within the realm.
RealmName string
The name of the realm. This is unique across Keycloak. This will also be used as the realm’s internal ID within Keycloak.
RefreshTokenMaxReuse int
Maximum number of times a refresh token can be reused before they are revoked. If unspecified and ‘revoke_refresh_token’ is enabled the default value is 0 and refresh tokens can not be reused.
RegistrationAllowed bool
When true, user registration will be enabled, and a link for registration will be displayed on the login page.
RegistrationEmailAsUsername bool
When true, the user’s email will be used as their username during registration.
RegistrationFlow string
The desired flow for user registration. Defaults to registration.
RememberMe bool
When true, a “remember me” checkbox will be displayed on the login page, and the user’s session will not expire between browser restarts.
ResetCredentialsFlow string
The desired flow to use when a user attempts to reset their credentials. Defaults to reset credentials.
ResetPasswordAllowed bool
When true, a “forgot password” link will be displayed on the login page.
RevokeRefreshToken bool
If enabled, a refresh token can only be used the number of times specified in ‘refresh_token_max_reuse’ before it is revoked. If unspecified, refresh tokens can be reused.
SecurityDefenses RealmSecurityDefensesArgs
SmtpServer RealmSmtpServerArgs
SslRequired string
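Can be one of the following values: ‘none’, ‘external’ or ‘all’. With ‘none’ HTTPS is not required, with ‘external’ it is required for requests from non-private addresses, and with ‘all’ it is required for every request.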
SsoSessionIdleTimeout string
The amount of time a session can be idle before it expires.
SsoSessionIdleTimeoutRememberMe string
SsoSessionMaxLifespan string
The maximum amount of time before a session expires regardless of activity.
SsoSessionMaxLifespanRememberMe string
UserManagedAccess bool
When true, users are allowed to manage their own resources. Defaults to false.
VerifyEmail bool
When true, users are required to verify their email address after registration and after email address changes.
WebAuthnPasswordlessPolicy RealmWebAuthnPasswordlessPolicyArgs
Configuration for WebAuthn Passwordless Policy authentication.
WebAuthnPolicy RealmWebAuthnPolicyArgs
Configuration for WebAuthn Policy authentication.
AccessCodeLifespan string
The maximum amount of time a client has to finish the authorization code flow.
AccessCodeLifespanLogin string
The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.
AccessCodeLifespanUserAction string
The maximum amount of time a user has to complete login related actions, such as updating a password.
AccessTokenLifespan string
The amount of time an access token can be used before it expires.
AccessTokenLifespanForImplicitFlow string
The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.
AccountTheme string
Used for account management pages.
ActionTokenGeneratedByAdminLifespan string
The maximum time a user has to use an admin-generated permit before it expires.
ActionTokenGeneratedByUserLifespan string
The maximum time a user has to use a user-generated permit before it expires.
AdminTheme string
Used for the admin console.
Attributes map[string]interface{}
A map of custom attributes to add to the realm.
BrowserFlow string
The desired flow for browser authentication. Defaults to browser.
ClientAuthenticationFlow string
The desired flow for client authentication. Defaults to clients.
DefaultDefaultClientScopes []string
DefaultOptionalClientScopes []string
DefaultSignatureAlgorithm string
Default algorithm used to sign tokens for the realm.
DirectGrantFlow string
The desired flow for direct access authentication. Defaults to direct grant.
DisplayName string
The display name for the realm that is shown when logging in to the admin console.
DisplayNameHtml string
The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.
DockerAuthenticationFlow string
The desired flow for Docker authentication. Defaults to docker auth.
DuplicateEmailsAllowed bool
When true, multiple users will be allowed to have the same email address. This argument must be set to false if login_with_email_allowed is set to true.
EditUsernameAllowed bool
When true, the username field is editable.
EmailTheme string
Used for emails that are sent by Keycloak.
Enabled bool
When false, users and clients will not be able to access this realm. Defaults to true.
InternalId string
Internationalization RealmInternationalizationArgs
LoginTheme string
Used for the login, forgot password, and registration pages.
LoginWithEmailAllowed bool
When true, users may log in with their email address.
OfflineSessionIdleTimeout string
The amount of time an offline session can be idle before it expires.
OfflineSessionMaxLifespan string
The maximum amount of time before an offline session expires regardless of activity.
OfflineSessionMaxLifespanEnabled bool
Enable offline_session_max_lifespan.
OtpPolicy RealmOtpPolicyArgs
PasswordPolicy string
The password policy for users within the realm.
Realm string
The name of the realm. This is unique across Keycloak. This will also be used as the realm’s internal ID within Keycloak.
RefreshTokenMaxReuse int
Maximum number of times a refresh token can be reused before they are revoked. If unspecified and ‘revoke_refresh_token’ is enabled the default value is 0 and refresh tokens can not be reused.
RegistrationAllowed bool
When true, user registration will be enabled, and a link for registration will be displayed on the login page.
RegistrationEmailAsUsername bool
When true, the user’s email will be used as their username during registration.
RegistrationFlow string
The desired flow for user registration. Defaults to registration.
RememberMe bool
When true, a “remember me” checkbox will be displayed on the login page, and the user’s session will not expire between browser restarts.
ResetCredentialsFlow string
The desired flow to use when a user attempts to reset their credentials. Defaults to reset credentials.
ResetPasswordAllowed bool
When true, a “forgot password” link will be displayed on the login page.
RevokeRefreshToken bool
If enabled, a refresh token can only be used the number of times specified in ‘refresh_token_max_reuse’ before it is revoked. If unspecified, refresh tokens can be reused.
SecurityDefenses RealmSecurityDefensesArgs
SmtpServer RealmSmtpServerArgs
SslRequired string
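Can be one of the following values: ‘none’, ‘external’ or ‘all’. With ‘none’ HTTPS is not required, with ‘external’ it is required for requests from non-private addresses, and with ‘all’ it is required for every request.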
SsoSessionIdleTimeout string
The amount of time a session can be idle before it expires.
SsoSessionIdleTimeoutRememberMe string
SsoSessionMaxLifespan string
The maximum amount of time before a session expires regardless of activity.
SsoSessionMaxLifespanRememberMe string
UserManagedAccess bool
When true, users are allowed to manage their own resources. Defaults to false.
VerifyEmail bool
When true, users are required to verify their email address after registration and after email address changes.
WebAuthnPasswordlessPolicy RealmWebAuthnPasswordlessPolicyArgs
Configuration for WebAuthn Passwordless Policy authentication.
WebAuthnPolicy RealmWebAuthnPolicyArgs
Configuration for WebAuthn Policy authentication.
accessCodeLifespan string
The maximum amount of time a client has to finish the authorization code flow.
accessCodeLifespanLogin string
The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.
accessCodeLifespanUserAction string
The maximum amount of time a user has to complete login related actions, such as updating a password.
accessTokenLifespan string
The amount of time an access token can be used before it expires.
accessTokenLifespanForImplicitFlow string
The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.
accountTheme string
Used for account management pages.
actionTokenGeneratedByAdminLifespan string
The maximum time a user has to use an admin-generated permit before it expires.
actionTokenGeneratedByUserLifespan string
The maximum time a user has to use a user-generated permit before it expires.
adminTheme string
Used for the admin console.
attributes {[key: string]: any}
A map of custom attributes to add to the realm.
browserFlow string
The desired flow for browser authentication. Defaults to browser.
clientAuthenticationFlow string
The desired flow for client authentication. Defaults to clients.
defaultDefaultClientScopes string[]
defaultOptionalClientScopes string[]
defaultSignatureAlgorithm string
Default algorithm used to sign tokens for the realm.
directGrantFlow string
The desired flow for direct access authentication. Defaults to direct grant.
displayName string
The display name for the realm that is shown when logging in to the admin console.
displayNameHtml string
The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.
dockerAuthenticationFlow string
The desired flow for Docker authentication. Defaults to docker auth.
duplicateEmailsAllowed boolean
When true, multiple users will be allowed to have the same email address. This argument must be set to false if login_with_email_allowed is set to true.
editUsernameAllowed boolean
When true, the username field is editable.
emailTheme string
Used for emails that are sent by Keycloak.
enabled boolean
When false, users and clients will not be able to access this realm. Defaults to true.
internalId string
internationalization RealmInternationalizationArgs
loginTheme string
Used for the login, forgot password, and registration pages.
loginWithEmailAllowed boolean
When true, users may log in with their email address.
offlineSessionIdleTimeout string
The amount of time an offline session can be idle before it expires.
offlineSessionMaxLifespan string
The maximum amount of time before an offline session expires regardless of activity.
offlineSessionMaxLifespanEnabled boolean
Enable offline_session_max_lifespan.
otpPolicy RealmOtpPolicyArgs
passwordPolicy string
The password policy for users within the realm.
realm string
The name of the realm. This is unique across Keycloak. This will also be used as the realm’s internal ID within Keycloak.
refreshTokenMaxReuse number
Maximum number of times a refresh token can be reused before they are revoked. If unspecified and ‘revoke_refresh_token’ is enabled the default value is 0 and refresh tokens can not be reused.
registrationAllowed boolean
When true, user registration will be enabled, and a link for registration will be displayed on the login page.
registrationEmailAsUsername boolean
When true, the user’s email will be used as their username during registration.
registrationFlow string
The desired flow for user registration. Defaults to registration.
rememberMe boolean
When true, a “remember me” checkbox will be displayed on the login page, and the user’s session will not expire between browser restarts.
resetCredentialsFlow string
The desired flow to use when a user attempts to reset their credentials. Defaults to reset credentials.
resetPasswordAllowed boolean
When true, a “forgot password” link will be displayed on the login page.
revokeRefreshToken boolean
If enabled, a refresh token can only be used the number of times specified in ‘refresh_token_max_reuse’ before it is revoked. If unspecified, refresh tokens can be reused.
securityDefenses RealmSecurityDefensesArgs
smtpServer RealmSmtpServerArgs
sslRequired string
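Can be one of the following values: ‘none’, ‘external’ or ‘all’. With ‘none’ HTTPS is not required, with ‘external’ it is required for requests from non-private addresses, and with ‘all’ it is required for every request.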
ssoSessionIdleTimeout string
The amount of time a session can be idle before it expires.
ssoSessionIdleTimeoutRememberMe string
ssoSessionMaxLifespan string
The maximum amount of time before a session expires regardless of activity.
ssoSessionMaxLifespanRememberMe string
userManagedAccess boolean
When true, users are allowed to manage their own resources. Defaults to false.
verifyEmail boolean
When true, users are required to verify their email address after registration and after email address changes.
webAuthnPasswordlessPolicy RealmWebAuthnPasswordlessPolicyArgs
Configuration for WebAuthn Passwordless Policy authentication.
webAuthnPolicy RealmWebAuthnPolicyArgs
Configuration for WebAuthn Policy authentication.
access_code_lifespan str
The maximum amount of time a client has to finish the authorization code flow.
access_code_lifespan_login str
The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.
access_code_lifespan_user_action str
The maximum amount of time a user has to complete login related actions, such as updating a password.
access_token_lifespan str
The amount of time an access token can be used before it expires.
access_token_lifespan_for_implicit_flow str
The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.
account_theme str
Used for account management pages.
action_token_generated_by_admin_lifespan str
The maximum time a user has to use an admin-generated permit before it expires.
action_token_generated_by_user_lifespan str
The maximum time a user has to use a user-generated permit before it expires.
admin_theme str
Used for the admin console.
attributes Mapping[str, Any]
A map of custom attributes to add to the realm.
browser_flow str
The desired flow for browser authentication. Defaults to browser.
client_authentication_flow str
The desired flow for client authentication. Defaults to clients.
default_default_client_scopes Sequence[str]
default_optional_client_scopes Sequence[str]
default_signature_algorithm str
Default algorithm used to sign tokens for the realm.
direct_grant_flow str
The desired flow for direct access authentication. Defaults to direct grant.
display_name str
The display name for the realm that is shown when logging in to the admin console.
display_name_html str
The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.
docker_authentication_flow str
The desired flow for Docker authentication. Defaults to docker auth.
duplicate_emails_allowed bool
When true, multiple users will be allowed to have the same email address. This argument must be set to false if login_with_email_allowed is set to true.
edit_username_allowed bool
When true, the username field is editable.
email_theme str
Used for emails that are sent by Keycloak.
enabled bool
When false, users and clients will not be able to access this realm. Defaults to true.
internal_id str
internationalization RealmInternationalizationArgs
login_theme str
Used for the login, forgot password, and registration pages.
login_with_email_allowed bool
When true, users may log in with their email address.
offline_session_idle_timeout str
The amount of time an offline session can be idle before it expires.
offline_session_max_lifespan str
The maximum amount of time before an offline session expires regardless of activity.
offline_session_max_lifespan_enabled bool
Enable offline_session_max_lifespan.
otp_policy RealmOtpPolicyArgs
password_policy str
The password policy for users within the realm.
realm str
The name of the realm. This is unique across Keycloak. This will also be used as the realm’s internal ID within Keycloak.
refresh_token_max_reuse int
Maximum number of times a refresh token can be reused before they are revoked. If unspecified and ‘revoke_refresh_token’ is enabled the default value is 0 and refresh tokens can not be reused.
registration_allowed bool
When true, user registration will be enabled, and a link for registration will be displayed on the login page.
registration_email_as_username bool
When true, the user’s email will be used as their username during registration.
registration_flow str
The desired flow for user registration. Defaults to registration.
remember_me bool
When true, a “remember me” checkbox will be displayed on the login page, and the user’s session will not expire between browser restarts.
reset_credentials_flow str
The desired flow to use when a user attempts to reset their credentials. Defaults to reset credentials.
reset_password_allowed bool
When true, a “forgot password” link will be displayed on the login page.
revoke_refresh_token bool
If enabled, a refresh token can only be used the number of times specified in ‘refresh_token_max_reuse’ before it is revoked. If unspecified, refresh tokens can be reused.
security_defenses RealmSecurityDefensesArgs
smtp_server RealmSmtpServerArgs
ssl_required str
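Can be one of the following values: ‘none’, ‘external’ or ‘all’. With ‘none’ HTTPS is not required, with ‘external’ it is required for requests from non-private addresses, and with ‘all’ it is required for every request.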
sso_session_idle_timeout str
The amount of time a session can be idle before it expires.
sso_session_idle_timeout_remember_me str
sso_session_max_lifespan str
The maximum amount of time before a session expires regardless of activity.
sso_session_max_lifespan_remember_me str
user_managed_access bool
When true, users are allowed to manage their own resources. Defaults to false.
verify_email bool
When true, users are required to verify their email address after registration and after email address changes.
web_authn_passwordless_policy RealmWebAuthnPasswordlessPolicyArgs
Configuration for WebAuthn Passwordless Policy authentication.
web_authn_policy RealmWebAuthnPolicyArgs
Configuration for WebAuthn Policy authentication.

Supporting Types

RealmInternationalization

DefaultLocale string
The locale to use by default. This locale code must be present within the supported_locales list.
SupportedLocales List<string>
A list of ISO 639-1 locale codes that the realm should support.
DefaultLocale string
The locale to use by default. This locale code must be present within the supported_locales list.
SupportedLocales []string
A list of ISO 639-1 locale codes that the realm should support.
defaultLocale string
The locale to use by default. This locale code must be present within the supported_locales list.
supportedLocales string[]
A list of ISO 639-1 locale codes that the realm should support.
default_locale str
The locale to use by default. This locale code must be present within the supported_locales list.
supported_locales Sequence[str]
A list of ISO 639-1 locale codes that the realm should support.

RealmOtpPolicy

Algorithm string
What hashing algorithm should be used to generate the OTP. Valid options are HmacSHA1, HmacSHA256 and HmacSHA512. Defaults to HmacSHA1.
Digits int
How many digits the OTP has. Defaults to 6.
InitialCounter int
What should the initial counter value be. Defaults to 2.
LookAheadWindow int
How far ahead should the server look just in case the token generator and server are out of time sync or counter sync. Defaults to 1.
Period int
How many seconds should an OTP token be valid. Defaults to 30.
Type string
One Time Password Type, supported Values are totp for Time-Based One Time Password and hotp for Counter Based. Defaults to totp.
Algorithm string
What hashing algorithm should be used to generate the OTP. Valid options are HmacSHA1, HmacSHA256 and HmacSHA512. Defaults to HmacSHA1.
Digits int
How many digits the OTP has. Defaults to 6.
InitialCounter int
What should the initial counter value be. Defaults to 2.
LookAheadWindow int
How far ahead should the server look just in case the token generator and server are out of time sync or counter sync. Defaults to 1.
Period int
How many seconds should an OTP token be valid. Defaults to 30.
Type string
One Time Password Type, supported Values are totp for Time-Based One Time Password and hotp for Counter Based. Defaults to totp.
algorithm string
What hashing algorithm should be used to generate the OTP. Valid options are HmacSHA1, HmacSHA256 and HmacSHA512. Defaults to HmacSHA1.
digits number
How many digits the OTP has. Defaults to 6.
initialCounter number
What should the initial counter value be. Defaults to 2.
lookAheadWindow number
How far ahead should the server look just in case the token generator and server are out of time sync or counter sync. Defaults to 1.
period number
How many seconds should an OTP token be valid. Defaults to 30.
type string
One Time Password Type, supported Values are totp for Time-Based One Time Password and hotp for Counter Based. Defaults to totp.
algorithm str
What hashing algorithm should be used to generate the OTP. Valid options are HmacSHA1, HmacSHA256 and HmacSHA512. Defaults to HmacSHA1.
digits int
How many digits the OTP has. Defaults to 6.
initial_counter int
What should the initial counter value be. Defaults to 2.
look_ahead_window int
How far ahead should the server look just in case the token generator and server are out of time sync or counter sync. Defaults to 1.
period int
How many seconds should an OTP token be valid. Defaults to 30.
type str
One Time Password Type, supported Values are totp for Time-Based One Time Password and hotp for Counter Based. Defaults to totp.

RealmSecurityDefenses

RealmSecurityDefensesBruteForceDetection

FailureResetTimeSeconds int
When will failure count be reset?
MaxFailureWaitSeconds int
MaxLoginFailures int
How many failures before wait is triggered.
MinimumQuickLoginWaitSeconds int

How long to wait after a quick login failure. (The separate max_failure_wait_seconds argument is optional and sets the maximum time a user will be locked out.)
PermanentLockout bool
When true, this will lock the user permanently when the user exceeds the maximum login failures.
QuickLoginCheckMilliSeconds int
Configures the amount of time, in milliseconds, for consecutive failures to lock a user out.
WaitIncrementSeconds int
This represents the amount of time a user should be locked out when the login failure threshold has been met.
FailureResetTimeSeconds int
When will failure count be reset?
MaxFailureWaitSeconds int
MaxLoginFailures int
How many failures before wait is triggered.
MinimumQuickLoginWaitSeconds int

How long to wait after a quick login failure. (The separate max_failure_wait_seconds argument is optional and sets the maximum time a user will be locked out.)
PermanentLockout bool
When true, this will lock the user permanently when the user exceeds the maximum login failures.
QuickLoginCheckMilliSeconds int
Configures the amount of time, in milliseconds, for consecutive failures to lock a user out.
WaitIncrementSeconds int
This represents the amount of time a user should be locked out when the login failure threshold has been met.
failureResetTimeSeconds number
When will failure count be reset?
maxFailureWaitSeconds number
maxLoginFailures number
How many failures before wait is triggered.
minimumQuickLoginWaitSeconds number

How long to wait after a quick login failure. (The separate max_failure_wait_seconds argument is optional and sets the maximum time a user will be locked out.)
permanentLockout boolean
When true, this will lock the user permanently when the user exceeds the maximum login failures.
quickLoginCheckMilliSeconds number
Configures the amount of time, in milliseconds, for consecutive failures to lock a user out.
waitIncrementSeconds number
This represents the amount of time a user should be locked out when the login failure threshold has been met.
failure_reset_time_seconds int
When will failure count be reset?
max_failure_wait_seconds int
max_login_failures int
How many failures before wait is triggered.
minimum_quick_login_wait_seconds int

How long to wait after a quick login failure. (The separate max_failure_wait_seconds argument is optional and sets the maximum time a user will be locked out.)
permanent_lockout bool
When true, this will lock the user permanently when the user exceeds the maximum login failures.
quick_login_check_milli_seconds int
Configures the amount of time, in milliseconds, for consecutive failures to lock a user out.
wait_increment_seconds int
This represents the amount of time a user should be locked out when the login failure threshold has been met.

RealmSecurityDefensesHeaders

ContentSecurityPolicy string
Sets the Content Security Policy, which can be used to prevent pages from being included by non-origin iframes. More information can be found in the W3C-CSP Abstract.
ContentSecurityPolicyReportOnly string
Used for testing Content Security Policies.
StrictTransportSecurity string
The Strict-Transport-Security HTTP header tells browsers to always use HTTPS.
XContentTypeOptions string
Sets the X-Content-Type-Options header, which can be used to prevent MIME-sniffing a response away from the declared content-type.
XFrameOptions string
Sets the X-Frame-Options header, which can be used to prevent pages from being included by non-origin iframes. More information can be found in RFC 7034.
XRobotsTag string
Prevent pages from appearing in search engines.
XXssProtection string
This header configures the Cross-site scripting (XSS) filter in your browser.
ContentSecurityPolicy string
Sets the Content Security Policy, which can be used to prevent pages from being included by non-origin iframes. More information can be found in the W3C-CSP Abstract.
ContentSecurityPolicyReportOnly string
Used for testing Content Security Policies.
StrictTransportSecurity string
The Strict-Transport-Security HTTP header tells browsers to always use HTTPS.
XContentTypeOptions string
Sets the X-Content-Type-Options header, which can be used to prevent MIME-sniffing a response away from the declared content-type.
XFrameOptions string
Sets the X-Frame-Options header, which can be used to prevent pages from being included by non-origin iframes. More information can be found in RFC 7034.
XRobotsTag string
Prevent pages from appearing in search engines.
XXssProtection string
This header configures the Cross-site scripting (XSS) filter in your browser.
contentSecurityPolicy string
Sets the Content Security Policy, which can be used to prevent pages from being included by non-origin iframes. More information can be found in the W3C-CSP Abstract.
contentSecurityPolicyReportOnly string
Used for testing Content Security Policies.
strictTransportSecurity string
The Strict-Transport-Security HTTP header tells browsers to always use HTTPS.
xContentTypeOptions string
Sets the X-Content-Type-Options header, which can be used to prevent MIME-sniffing a response away from the declared content-type.
xFrameOptions string
Sets the X-Frame-Options header, which can be used to prevent pages from being included by non-origin iframes. More information can be found in RFC 7034.
xRobotsTag string
Prevent pages from appearing in search engines.
xXssProtection string
This header configures the Cross-site scripting (XSS) filter in your browser.
content_security_policy str
Sets the Content Security Policy, which can be used to prevent pages from being included by non-origin iframes. More information can be found in the W3C-CSP Abstract.
content_security_policy_report_only str
Used for testing Content Security Policies.
strict_transport_security str
The Strict-Transport-Security HTTP header tells browsers to always use HTTPS.
x_content_type_options str
Sets the X-Content-Type-Options header, which can be used to prevent MIME-sniffing a response away from the declared content-type.
x_frame_options str
Sets the X-Frame-Options header, which can be used to prevent pages from being included by non-origin iframes. More information can be found in RFC 7034.
x_robots_tag str
Prevent pages from appearing in search engines.
x_xss_protection str
This header configures the Cross-site scripting (XSS) filter in your browser.

RealmSmtpServer

From string
The email address for the sender.
Host string
The host of the SMTP server.
Auth RealmSmtpServerAuth
Enables authentication to the SMTP server. This block supports the following arguments:
EnvelopeFrom string
The email address used for bounces.
FromDisplayName string
The display name of the sender email address.
Port string
The port of the SMTP server (defaults to 25).
ReplyTo string
The “reply to” email address.
ReplyToDisplayName string
The display name of the “reply to” email address.
Ssl bool
When true, enables SSL. Defaults to false.
Starttls bool
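When true, enables StartTLS. Defaults to false. If neither SSL nor StartTLS is enabled, the connection to the SMTP server is unencrypted, and so are any credentials configured under auth.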
From string
The email address for the sender.
Host string
The host of the SMTP server.
Auth RealmSmtpServerAuth
Enables authentication to the SMTP server. This block supports the following arguments:
EnvelopeFrom string
The email address used for bounces.
FromDisplayName string
The display name of the sender email address.
Port string
The port of the SMTP server (defaults to 25).
ReplyTo string
The “reply to” email address.
ReplyToDisplayName string
The display name of the “reply to” email address.
Ssl bool
When true, enables SSL. Defaults to false.
Starttls bool
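When true, enables StartTLS. Defaults to false. If neither SSL nor StartTLS is enabled, the connection to the SMTP server is unencrypted, and so are any credentials configured under auth.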
from string
The email address for the sender.
host string
The host of the SMTP server.
auth RealmSmtpServerAuth
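Enables authentication to the SMTP server. The supported arguments are listed under RealmSmtpServerAuth. ssl and starttls both default to false, so enable one of them when setting credentials; otherwise the SMTP session, including the login, is not protected by TLS.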
envelopeFrom string
The email address used for bounces.
fromDisplayName string
The display name of the sender email address.
port string
The port of the SMTP server (defaults to 25).
replyTo string
The “reply to” email address.
replyToDisplayName string
The display name of the “reply to” email address.
ssl boolean
When true, enables SSL. Defaults to false.
starttls boolean
When true, enables StartTLS. Defaults to false.
from_ str
The email address for the sender.
host str
The host of the SMTP server.
auth RealmSmtpServerAuth
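Enables authentication to the SMTP server. The supported arguments are listed under RealmSmtpServerAuth. ssl and starttls both default to false, so enable one of them when setting credentials; otherwise the SMTP session, including the login, is not protected by TLS.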
envelope_from str
The email address used for bounces.
from_display_name str
The display name of the sender email address.
port str
The port of the SMTP server (defaults to 25).
reply_to str
The “reply to” email address.
reply_to_display_name str
The display name of the “reply to” email address.
ssl bool
When true, enables SSL. Defaults to false.
starttls bool
When true, enables StartTLS. Defaults to false.

RealmSmtpServerAuth

Password string
The SMTP server password.
Username string
The SMTP server username.
Password string
The SMTP server password.
Username string
The SMTP server username.
password string
The SMTP server password.
username string
The SMTP server username.
password str
The SMTP server password.
username str
The SMTP server username.

RealmWebAuthnPasswordlessPolicy

AcceptableAaguids List<string>
A set of AAGUIDs for which an authenticator can be registered.
AttestationConveyancePreference string
The preference of how to generate a WebAuthn attestation statement. Valid options are not specified, none, indirect, direct, or enterprise. Defaults to not specified.
AuthenticatorAttachment string
The acceptable attachment pattern for the WebAuthn authenticator. Valid options are not specified, platform, or cross-platform. Defaults to not specified.
AvoidSameAuthenticatorRegister bool
When true, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to false.
CreateTimeout int
The timeout value for creating a user’s public key credential in seconds. When set to 0, this timeout option is not adapted. Defaults to 0.
RelyingPartyEntityName string
A human readable server name for the WebAuthn Relying Party. Defaults to keycloak.
RelyingPartyId string
The WebAuthn relying party ID.
RequireResidentKey string
Specifies whether or not a public key should be created to represent the resident key. Valid options are not specified, Yes, or No. Defaults to not specified.
SignatureAlgorithms List<string>
A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are ES256, ES384, ES512, RS256, RS384, RS512, and RS1. RS1 is RSA with SHA-1; leave it out unless a legacy authenticator requires it.
UserVerificationRequirement string
Specifies the policy for verifying a user logging in via WebAuthn. Valid options are not specified, required, preferred, or discouraged. Defaults to not specified.
AcceptableAaguids []string
A set of AAGUIDs for which an authenticator can be registered.
AttestationConveyancePreference string
The preference of how to generate a WebAuthn attestation statement. Valid options are not specified, none, indirect, direct, or enterprise. Defaults to not specified.
AuthenticatorAttachment string
The acceptable attachment pattern for the WebAuthn authenticator. Valid options are not specified, platform, or cross-platform. Defaults to not specified.
AvoidSameAuthenticatorRegister bool
When true, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to false.
CreateTimeout int
The timeout value for creating a user’s public key credential in seconds. When set to 0, this timeout option is not adapted. Defaults to 0.
RelyingPartyEntityName string
A human readable server name for the WebAuthn Relying Party. Defaults to keycloak.
RelyingPartyId string
The WebAuthn relying party ID.
RequireResidentKey string
Specifies whether or not a public key should be created to represent the resident key. Valid options are not specified, Yes, or No. Defaults to not specified.
SignatureAlgorithms []string
A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are ES256, ES384, ES512, RS256, RS384, RS512, and RS1. RS1 is RSA with SHA-1; leave it out unless a legacy authenticator requires it.
UserVerificationRequirement string
Specifies the policy for verifying a user logging in via WebAuthn. Valid options are not specified, required, preferred, or discouraged. Defaults to not specified.
acceptableAaguids string[]
A set of AAGUIDs for which an authenticator can be registered.
attestationConveyancePreference string
The preference of how to generate a WebAuthn attestation statement. Valid options are not specified, none, indirect, direct, or enterprise. Defaults to not specified.
authenticatorAttachment string
The acceptable attachment pattern for the WebAuthn authenticator. Valid options are not specified, platform, or cross-platform. Defaults to not specified.
avoidSameAuthenticatorRegister boolean
When true, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to false.
createTimeout number
The timeout value for creating a user’s public key credential in seconds. When set to 0, this timeout option is not adapted. Defaults to 0.
relyingPartyEntityName string
A human readable server name for the WebAuthn Relying Party. Defaults to keycloak.
relyingPartyId string
The WebAuthn relying party ID.
requireResidentKey string
Specifies whether or not a public key should be created to represent the resident key. Valid options are not specified, Yes, or No. Defaults to not specified.
signatureAlgorithms string[]
A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are ES256, ES384, ES512, RS256, RS384, RS512, and RS1. RS1 is RSA with SHA-1; leave it out unless a legacy authenticator requires it.
userVerificationRequirement string
Specifies the policy for verifying a user logging in via WebAuthn. Valid options are not specified, required, preferred, or discouraged. Defaults to not specified.
acceptable_aaguids Sequence[str]
A set of AAGUIDs for which an authenticator can be registered.
attestation_conveyance_preference str
The preference of how to generate a WebAuthn attestation statement. Valid options are not specified, none, indirect, direct, or enterprise. Defaults to not specified.
authenticator_attachment str
The acceptable attachment pattern for the WebAuthn authenticator. Valid options are not specified, platform, or cross-platform. Defaults to not specified.
avoid_same_authenticator_register bool
When true, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to false.
create_timeout int
The timeout value for creating a user’s public key credential in seconds. When set to 0, this timeout option is not adapted. Defaults to 0.
relying_party_entity_name str
A human readable server name for the WebAuthn Relying Party. Defaults to keycloak.
relying_party_id str
The WebAuthn relying party ID.
require_resident_key str
Specifies whether or not a public key should be created to represent the resident key. Valid options are not specified, Yes, or No. Defaults to not specified.
signature_algorithms Sequence[str]
A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are ES256, ES384, ES512, RS256, RS384, RS512, and RS1. RS1 is RSA with SHA-1; leave it out unless a legacy authenticator requires it.
user_verification_requirement str
Specifies the policy for verifying a user logging in via WebAuthn. Valid options are not specified, required, preferred, or discouraged. Defaults to not specified.

RealmWebAuthnPolicy

AcceptableAaguids List<string>
A set of AAGUIDs for which an authenticator can be registered.
AttestationConveyancePreference string
The preference of how to generate a WebAuthn attestation statement. Valid options are not specified, none, indirect, direct, or enterprise. Defaults to not specified.
AuthenticatorAttachment string
The acceptable attachment pattern for the WebAuthn authenticator. Valid options are not specified, platform, or cross-platform. Defaults to not specified.
AvoidSameAuthenticatorRegister bool
When true, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to false.
CreateTimeout int
The timeout value for creating a user’s public key credential in seconds. When set to 0, this timeout option is not adapted. Defaults to 0.
RelyingPartyEntityName string
A human readable server name for the WebAuthn Relying Party. Defaults to keycloak.
RelyingPartyId string
The WebAuthn relying party ID.
RequireResidentKey string
Specifies whether or not a public key should be created to represent the resident key. Valid options are not specified, Yes, or No. Defaults to not specified.
SignatureAlgorithms List<string>
A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are ES256, ES384, ES512, RS256, RS384, RS512, and RS1. RS1 is RSA with SHA-1; leave it out unless a legacy authenticator requires it.
UserVerificationRequirement string
Specifies the policy for verifying a user logging in via WebAuthn. Valid options are not specified, required, preferred, or discouraged. Defaults to not specified.
AcceptableAaguids []string
A set of AAGUIDs for which an authenticator can be registered.
AttestationConveyancePreference string
The preference of how to generate a WebAuthn attestation statement. Valid options are not specified, none, indirect, direct, or enterprise. Defaults to not specified.
AuthenticatorAttachment string
The acceptable attachment pattern for the WebAuthn authenticator. Valid options are not specified, platform, or cross-platform. Defaults to not specified.
AvoidSameAuthenticatorRegister bool
When true, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to false.
CreateTimeout int
The timeout value for creating a user’s public key credential in seconds. When set to 0, this timeout option is not adapted. Defaults to 0.
RelyingPartyEntityName string
A human readable server name for the WebAuthn Relying Party. Defaults to keycloak.
RelyingPartyId string
The WebAuthn relying party ID.
RequireResidentKey string
Specifies whether or not a public key should be created to represent the resident key. Valid options are not specified, Yes, or No. Defaults to not specified.
SignatureAlgorithms []string
A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are ES256, ES384, ES512, RS256, RS384, RS512, and RS1. RS1 is RSA with SHA-1; leave it out unless a legacy authenticator requires it.
UserVerificationRequirement string
Specifies the policy for verifying a user logging in via WebAuthn. Valid options are not specified, required, preferred, or discouraged. Defaults to not specified.
acceptableAaguids string[]
A set of AAGUIDs for which an authenticator can be registered.
attestationConveyancePreference string
The preference of how to generate a WebAuthn attestation statement. Valid options are not specified, none, indirect, direct, or enterprise. Defaults to not specified.
authenticatorAttachment string
The acceptable attachment pattern for the WebAuthn authenticator. Valid options are not specified, platform, or cross-platform. Defaults to not specified.
avoidSameAuthenticatorRegister boolean
When true, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to false.
createTimeout number
The timeout value for creating a user’s public key credential in seconds. When set to 0, this timeout option is not adapted. Defaults to 0.
relyingPartyEntityName string
A human readable server name for the WebAuthn Relying Party. Defaults to keycloak.
relyingPartyId string
The WebAuthn relying party ID.
requireResidentKey string
Specifies whether or not a public key should be created to represent the resident key. Valid options are not specified, Yes, or No. Defaults to not specified.
signatureAlgorithms string[]
A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are ES256, ES384, ES512, RS256, RS384, RS512, and RS1. RS1 is RSA with SHA-1; leave it out unless a legacy authenticator requires it.
userVerificationRequirement string
Specifies the policy for verifying a user logging in via WebAuthn. Valid options are not specified, required, preferred, or discouraged. Defaults to not specified.
acceptable_aaguids Sequence[str]
A set of AAGUIDs for which an authenticator can be registered.
attestation_conveyance_preference str
The preference of how to generate a WebAuthn attestation statement. Valid options are not specified, none, indirect, direct, or enterprise. Defaults to not specified.
authenticator_attachment str
The acceptable attachment pattern for the WebAuthn authenticator. Valid options are not specified, platform, or cross-platform. Defaults to not specified.
avoid_same_authenticator_register bool
When true, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to false.
create_timeout int
The timeout value for creating a user’s public key credential in seconds. When set to 0, this timeout option is not adapted. Defaults to 0.
relying_party_entity_name str
A human readable server name for the WebAuthn Relying Party. Defaults to keycloak.
relying_party_id str
The WebAuthn relying party ID.
require_resident_key str
Specifies whether or not a public key should be created to represent the resident key. Valid options are not specified, Yes, or No. Defaults to not specified.
signature_algorithms Sequence[str]
A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are ES256, ES384, ES512, RS256, RS384, RS512, and RS1. RS1 is RSA with SHA-1; leave it out unless a legacy authenticator requires it.
user_verification_requirement str
Specifies the policy for verifying a user logging in via WebAuthn. Valid options are not specified, required, preferred, or discouraged. Defaults to not specified.

Import

Realms can be imported using their name. Example:

 $ pulumi import keycloak:index/realm:Realm realm my-realm

Package Details

Repository
https://github.com/pulumi/pulumi-keycloak
License
Apache-2.0
Notes
This Pulumi package is based on the keycloak Terraform Provider.